I have come across a problem I have not been able to resolve. I am attempting to create a Samba ADS Domain Membership machine to authenticate users who will be accessing the shares on the Samba server from a combination of Active Directory and Kerberos. The problem I am experiencing stems from following the directions for "Create the Computer Account" in chapter 6 part II of the Samba-Howto. The last command says it is possible to create a machine trust account in a container called servers under a different OU, e.g.: root# net ads join "Computer\BusinessUnit\Department\Servers" Here are the steps I have taken: I have joined the Samba machine to the domain using the "net ads join -U<username>" command. I have configured /etc/krb5.conf to mimic our network environment, as well as nsswitch.conf; I am able to run the command "getent passwd" and I can see users, however the problem is they are not the correct users. After running the command I described above, "net ads join "Computer\BusinessUnit\Department\Servers"", I can only view and authenticate users in that OU. I have attempted the following: removed the computer trust account from Active Directory, let AD replicate and rejoined the domain, only to have the same OU show up as the default. I have removed the Samba and Winbind packages from the machine, changed the machine name, removed any temporary files for Samba and Winbind, and let the machine sit without any domain interaction for 3 days to make sure the computer trust account was removed, all without any success. Any assistance with this problem is definitely appreciated. I am including the /etc/samba/smb.conf and the /etc/krb5.conf. Again, any help is appreciated. 
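# ---- /etc/samba/smb.conf (as posted; the original message labelled this part "[smb.conf]",
# which is not a valid smb.conf section and is kept here only as a comment) ----
[global]
#
# Network configuration
#
server string = doc-odin.domain.com
workgroup = DOMAIN
netbios name = DOC-ODIN
# "realm" is the Kerberos realm and must match default_realm in krb5.conf.
# The posted file had "realm = DOMAIN" (the NetBIOS workgroup name), which
# does not match "default_realm = DOMAIN.COM" below and will break the ADS join/auth path.
realm = DOMAIN.COM
security = ADS
password server = server.domain.com server2.domain.com
#
# Domain configuration options
#
# The posted file listed "prefered master = no" twice; the duplicate is dropped.
prefered master = no
local master = no
domain master = no
domain logons = no
#
# Security options
#
encrypt passwords = yes
update encrypted = yes
# NOTE(review): "password level" lets Samba retry case permutations of a
# plaintext password; 20 is very permissive and weakens password checking.
# Left as posted — confirm it is still needed before lowering it.
password level = 20
#
# Winbind options
#
# winbind use default domain = no
winbind cache time = 5
winbind separator = /
# NOTE(review): with enumeration disabled, "getent passwd" will normally list
# only local accounts, not domain users — this is likely why the users shown
# are "not the correct users". Enabling it on large domains is expensive; verify first.
winbind enum users = no
winbind enum groups = no
winbind nested groups = yes
#
# User/Group mapping options
#
# NOTE(review): this range starts at 500, which overlaps the UID range many
# distributions use for local accounts; an allocated domain uid can collide
# with a local user. Confirm against /etc/passwd on this host.
idmap uid = 500-500000
idmap gid = 500-500000
add user script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
#
# LDAP/AD configuration options
#
# NOTE(review): on a "security = ADS" member server domain users are resolved
# through winbind; presumably the ldapsam backend is only consulted for local
# Samba accounts here — confirm this is intended.
passdb backend = ldapsam:LDAP://server2.domain.com
# The posted line had an unbalanced opening quote ("cn=readonly,...,dc=com with
# no closing quote); the closing quote is restored. The bind password for this
# DN lives in Samba's secrets store, not in this file.
ldap admin dn = "cn=readonly,cn=users,dc=domain,dc=com"
ldap user suffix = cn=users
ldap group suffix = ou=groups
ldap suffix = dc=domain,dc=com
ldap delete dn = no
use spnego = yes
#
# Networking options
#
hide unreadable = no
wins support = no
dns proxy = no
interfaces = eth* lo
bind interfaces only = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# NOTE(review): with no "hosts allow" present, this denies every client. If a
# default-deny posture is intended, list the permitted networks above it, e.g.
# hosts allow = <PERMITTED-NETWORKS>
hosts deny = 0.0.0.0/0
#
# Miscellaneous options
#
os level = 20
template shell = /bin/false
template homedir = /odin/%D/%U
load printers = no
#
# Logging options
#
log level = 1 ads:5 auth:5 sam:5 rpc:5

# ---- /etc/krb5.conf (as posted; the original message labelled this part "[krb5.conf]",
# kept here only as a comment) ----
[libdefaults]
default_realm = DOMAIN.COM
clockskew = 300
# NOTE(review): des-cbc-md5 is a weak, long-deprecated enctype; keep it only
# while a DC still requires it, and drop it once rc4-hmac alone works.
default_tgs_enctypes = rc4-hmac des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-md5

[realms]
# The realm block must be named after default_realm. The posted file defined
# "UTAH.EDU = { ... }" here, which does not match DOMAIN.COM and leaves the
# default realm with no KDC entry; the block is renamed to match.
DOMAIN.COM = {
    kdc = 192.168.0.2
    default_domain = domain.com
    admin_server = 192.168.0.2
}

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM

[appdefaults]
pam = {
    ticket_lifetime = 1d
    renew_lifetime = 1d
    forwardable = true
    proxiable = false
    retain_after_close = false
    # NOTE(review): minimum_uid = 0 allows uid 0 (root) to authenticate via
    # Kerberos PAM as well; a non-zero floor is the usual choice on a member server.
    minimum_uid = 0
}

--
Jason Gerfen "My girlfriend threated to leave me if I went boarding... I will miss her." ~ DIATRIBE aka FBITKK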